Critical vulnerabilities detected in TrueCrypt crypto software
James Forshaw, a member of the Google Project Zero team, discovered two critical vulnerabilities in the TrueCrypt driver that the program installs on Windows systems. Security errors CVE-2015-7358 , CVE-2015-7359 allow cybercriminals to escalate privileges by gaining full administrator rights and access to all user data, even if they are encrypted.
Vulnerabilities went unnoticed during an independent audit of application code. The verification consisted of two stages and was carried out by iSEC Partners engineers after TrueCrypt developers unplannedly announced the closure of the project, saying that its code could contain vulnerabilities.
Forshaw believes that the vulnerabilities he found are not backdoors. The researcher noted that, apparently, the audit participants simply did not notice them.
Auditors focused specifically on the search for “bookmarks” in the code - suspicions of their presence appeared after strange statements by the original TrueCrypt developers, which remained anonymous.
The researcher has not yet provided detailed data, saying that he wants to give the fork authors a week to fix bugs. Since the tool is no longer officially developed, security holes will not be fixed directly in the code of the initial application. However, the bugs were fixed in the open-source VeraCrypt program, which is based on TrueCrypt.
VeraCrypt 1.15 releasedat the end of September, contains patches for vulnerabilities found by Forshaw.
According to Artem Shishkin, an expert at Positive Research, it’s very easy to exploit the vulnerabilities found by Forshaw. "The built-in static verifier does not complain about this, but those who" fumble "in security will be the first to get it checked." The expert is not sure that the vulnerabilities were “bookmarks”: “It is doubtful, most likely, the trash left over from the time of Windows XP”.
Dmitry Sklyarov, head of Positive Technologies application analysis department, suggested that the detected vulnerabilities could indeed be left intentionally by TrueCrypt developers.
“The error allows you to make rather than Privilege Escalation, but to get access to the TrueCrypt mounted under another user without administrator rights. That is, the vulnerability does not allow gaining control of the machine, but ensuring confidentiality is clearly lame.
In the light of these facts, I, as a professional paranoid, state that these vulnerabilities may well be planned bookmarks. And the fact that they look so much like "gouging" makes them good bookmarks, because specially created vulnerabilities are quite difficult to keep invisible. "
According to Sklyarov, during a quality security audit, such errors should have been detected:
“In such cases, they always look for specific types of vulnerabilities - from the description it seems that in the conducted audit backdoors and algorithmic bookmarks were searched. So, a good audit should definitely identify such holes. ”